Compare commits
45 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 925a0eede9 | |||
| d2a27292b7 | |||
| 1472a695c5 | |||
| cbb55045ce | |||
| 02a49bdc41 | |||
| 7c757df414 | |||
| c44148e5bf | |||
| 32343527f2 | |||
| 18db12979d | |||
| 90fadfae6b | |||
| 57db8ba356 | |||
| c4c3d11ce8 | |||
| 55d56c36d1 | |||
| 03fc44ed67 | |||
| 96278af6ca | |||
| 6865550d03 | |||
| 98f3aa9c27 | |||
| 63e64444a7 | |||
| 3bc61afc81 | |||
| 405d0eac46 | |||
| 00014ed6ed | |||
| 8835c60c52 | |||
| 331a7ac6b7 | |||
| bd4fc0326a | |||
| 5dea0e5066 | |||
| 4f2d058085 | |||
| c6f9859ac6 | |||
| 61d781ff2a | |||
| ca0aaa1889 | |||
| 2dc334f1ac | |||
| 08a89fbe89 | |||
| b92f224bf5 | |||
| a6fede4d5d | |||
| f8ed128a91 | |||
| ccf77258fe | |||
| 5c2d257b47 | |||
| a2b933c354 | |||
| 268464dd14 | |||
| 2087a22bcc | |||
| d6e68ff447 | |||
| ba965ac88a | |||
| bed76f6f80 | |||
| 5a0f9f9189 | |||
| 3752c92e3b | |||
| 0b6e980926 |
@@ -28,11 +28,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
||||
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
@@ -60,7 +60,7 @@ jobs:
|
||||
- if: ${{ failure() && steps.diff.outcome == 'failure' }}
|
||||
name: Upload Artifact
|
||||
id: upload
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@v6.0.0
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
|
||||
@@ -21,11 +21,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
||||
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
@@ -57,7 +57,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- name: Run attest-provenance
|
||||
id: attest-provenance
|
||||
uses: ./
|
||||
|
||||
@@ -32,19 +32,19 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
- name: Initialize CodeQL
|
||||
id: initialize
|
||||
uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
|
||||
uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
source-root: src
|
||||
|
||||
- name: Autobuild
|
||||
id: autobuild
|
||||
uses: github/codeql-action/autobuild@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
|
||||
uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
id: analyze
|
||||
uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
|
||||
uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
|
||||
|
||||
@@ -29,7 +29,7 @@ jobs:
|
||||
date > artifact
|
||||
|
||||
- name: Attest build provenance
|
||||
uses: actions/attest-build-provenance@v2
|
||||
uses: actions/attest-build-provenance@v3
|
||||
env:
|
||||
INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
|
||||
with:
|
||||
@@ -42,13 +42,13 @@ jobs:
|
||||
gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
|
||||
|
||||
- name: Upload build artifact
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
||||
with:
|
||||
path: "artifact"
|
||||
|
||||
- name: Report attestation prober success
|
||||
if: ${{ success() }}
|
||||
uses: masci/datadog@f0cad7cba58a34e65535732564c9bf174ee89006 # v1.9.2
|
||||
uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3
|
||||
with:
|
||||
api-key: "${{ secrets.DATADOG_API_KEY }}"
|
||||
service-checks: |
|
||||
@@ -66,7 +66,7 @@ jobs:
|
||||
|
||||
- name: Report attestation prober failure
|
||||
if: ${{ failure() }}
|
||||
uses: masci/datadog@f0cad7cba58a34e65535732564c9bf174ee89006 # v1.9.2
|
||||
uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3
|
||||
with:
|
||||
api-key: "${{ secrets.DATADOG_API_KEY }}"
|
||||
service-checks: |
|
||||
|
||||
@@ -46,16 +46,20 @@ attest:
|
||||
permissions:
|
||||
id-token: write
|
||||
attestations: write
|
||||
artifact-metadata: write
|
||||
```
|
||||
|
||||
The `id-token` permission gives the action the ability to mint the OIDC token
|
||||
necessary to request a Sigstore signing certificate. The `attestations`
|
||||
permission is necessary to persist the attestation.
|
||||
The `artifact-metadata` permission is required to generate artifact
|
||||
metadata storage records. If this permission is not included, the action
|
||||
will continue without creating the record.
|
||||
|
||||
1. Add the following to your workflow after your artifact has been built:
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-build-provenance@v2
|
||||
- uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
subject-path: '<PATH TO ARTIFACT>'
|
||||
```
|
||||
@@ -68,7 +72,7 @@ attest:
|
||||
See [action.yml](action.yml)
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-build-provenance@v2
|
||||
- uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
# Path to the artifact serving as the subject of the attestation. Must
|
||||
# specify exactly one of "subject-path", "subject-digest", or
|
||||
@@ -95,6 +99,12 @@ See [action.yml](action.yml)
|
||||
# the "subject-digest" parameter be specified. Defaults to false.
|
||||
push-to-registry:
|
||||
|
||||
# Whether to create a storage record for the artifact.
|
||||
# Requires that push-to-registry is set to true.
|
||||
# Requires that the "subject-name" parameter specify the fully-qualified
|
||||
# image name. Defaults to true.
|
||||
create-storage-record:
|
||||
|
||||
# Whether to attach a list of generated attestations to the workflow run
|
||||
# summary page. Defaults to true.
|
||||
show-summary:
|
||||
@@ -159,7 +169,7 @@ jobs:
|
||||
- name: Build artifact
|
||||
run: make my-app
|
||||
- name: Attest
|
||||
uses: actions/attest-build-provenance@v2
|
||||
uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
subject-path: '${{ github.workspace }}/my-app'
|
||||
```
|
||||
@@ -170,7 +180,7 @@ If you are generating multiple artifacts, you can attest all of them at the same
|
||||
time by using a wildcard in the `subject-path` input.
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-build-provenance@v2
|
||||
- uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
subject-path: 'dist/**/my-bin-*'
|
||||
```
|
||||
@@ -182,13 +192,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
|
||||
newline delimited list:
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-build-provenance@v2
|
||||
- uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
subject-path: 'dist/foo, dist/bar'
|
||||
```
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-build-provenance@v2
|
||||
- uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
subject-path: |
|
||||
dist/foo
|
||||
@@ -209,7 +219,7 @@ attestation.
|
||||
- name: Calculate artifact digests
|
||||
run: |
|
||||
shasum -a 256 foo_0.0.1_* > subject.checksums.txt
|
||||
- uses: actions/attest-build-provenance@v2
|
||||
- uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
subject-checksums: subject.checksums.txt
|
||||
```
|
||||
@@ -282,7 +292,7 @@ jobs:
|
||||
push: true
|
||||
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
|
||||
- name: Attest
|
||||
uses: actions/attest-build-provenance@v2
|
||||
uses: actions/attest-build-provenance@v3
|
||||
id: attest
|
||||
with:
|
||||
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||
@@ -290,6 +300,25 @@ jobs:
|
||||
push-to-registry: true
|
||||
```
|
||||
|
||||
#### Artifact Metadata Storage Records
|
||||
|
||||
If the `push-to-registry` option is set to true, the Action will also
|
||||
emit an [Artifact Metadata Storage Record](https://docs.github.com/en/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-artifact-metadata-storage-record).
|
||||
Storage records enrich artifact metadata by capturing storage
|
||||
related details, such as which registry an image is hosted on
|
||||
and whether it's marked as active.
|
||||
|
||||
If you do not want to emit a storage record, set `create-storage-record` to `false`.
|
||||
|
||||
> **NOTE**: Storage records can only be created for artifacts
|
||||
> built from [organization-owned](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations)
|
||||
> repositories.
|
||||
|
||||
Artifacts associated with a storage record can be viewed by navigating to
|
||||
the `Linked Artifacts` page in your organization:
|
||||
`https://github.com/orgs/YOUR_ORG/artifacts`
|
||||
(replace `YOUR_ORG` with your organization name).
|
||||
|
||||
### Integration with `actions/upload-artifact`
|
||||
|
||||
If you'd like to create an attestation for an archive created with the
|
||||
@@ -304,7 +333,7 @@ artifact directly into the `subject-digest` input of the attestation action.
|
||||
path: dist/*
|
||||
name: artifact.zip
|
||||
|
||||
- uses: actions/attest-build-provenance@v2
|
||||
- uses: actions/attest-build-provenance@v3
|
||||
with:
|
||||
subject-name: artifact.zip
|
||||
subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
// Jest Snapshot v1, https://goo.gl/fbAQLP
|
||||
// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
|
||||
|
||||
exports[`main when a non-default OIDC issuer is used successfully run main 1`] = `
|
||||
{
|
||||
|
||||
+8
-1
@@ -36,6 +36,12 @@ inputs:
|
||||
and that the "subject-digest" parameter be specified. Defaults to false.
|
||||
default: false
|
||||
required: false
|
||||
create-storage-record:
|
||||
description: >
|
||||
Whether to create a storage record for the artifact.
|
||||
Requires that push-to-registry is set to true. Defaults to true.
|
||||
default: true
|
||||
required: false
|
||||
show-summary:
|
||||
description: >
|
||||
Whether to attach a list of generated attestations to the workflow run
|
||||
@@ -64,7 +70,7 @@ runs:
|
||||
steps:
|
||||
- uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0
|
||||
id: generate-build-provenance-predicate
|
||||
- uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
|
||||
- uses: actions/attest@e59cbc1ad1ac2d59339667419eb8cdde6eb61e3d # v3.2.0
|
||||
id: attest
|
||||
env:
|
||||
NODE_OPTIONS: "--max-http-header-size=32768"
|
||||
@@ -76,5 +82,6 @@ runs:
|
||||
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
|
||||
predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
|
||||
push-to-registry: ${{ inputs.push-to-registry }}
|
||||
create-storage-record: ${{ inputs.create-storage-record }}
|
||||
show-summary: ${{ inputs.show-summary }}
|
||||
github-token: ${{ inputs.github-token }}
|
||||
|
||||
+16
-4
@@ -19,7 +19,7 @@ async function pMap(
|
||||
signal,
|
||||
} = {},
|
||||
) {
|
||||
return new Promise((resolve, reject_) => {
|
||||
return new Promise((resolve_, reject_) => {
|
||||
if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
|
||||
throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
|
||||
}
|
||||
@@ -42,10 +42,24 @@ async function pMap(
|
||||
let currentIndex = 0;
|
||||
const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
|
||||
|
||||
const signalListener = () => {
|
||||
reject(signal.reason);
|
||||
};
|
||||
|
||||
const cleanup = () => {
|
||||
signal?.removeEventListener('abort', signalListener);
|
||||
};
|
||||
|
||||
const resolve = value => {
|
||||
resolve_(value);
|
||||
cleanup();
|
||||
};
|
||||
|
||||
const reject = reason => {
|
||||
isRejected = true;
|
||||
isResolved = true;
|
||||
reject_(reason);
|
||||
cleanup();
|
||||
};
|
||||
|
||||
if (signal) {
|
||||
@@ -53,9 +67,7 @@ async function pMap(
|
||||
reject(signal.reason);
|
||||
}
|
||||
|
||||
signal.addEventListener('abort', () => {
|
||||
reject(signal.reason);
|
||||
});
|
||||
signal.addEventListener('abort', signalListener, {once: true});
|
||||
}
|
||||
|
||||
const next = async () => {
|
||||
|
||||
+60337
-3117
File diff suppressed because one or more lines are too long
+1
-1
@@ -7,7 +7,7 @@ export default tseslint.config(
|
||||
// Ignore non-project files
|
||||
{
|
||||
name: 'ignore',
|
||||
ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs']
|
||||
ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs', 'scripts']
|
||||
},
|
||||
// Use recommended rules from ESLint, TypeScript, and other plugins
|
||||
eslint.configs.recommended,
|
||||
|
||||
Generated
+872
-905
File diff suppressed because it is too large
Load Diff
+20
-15
@@ -24,6 +24,7 @@
|
||||
"node": ">=24"
|
||||
},
|
||||
"scripts": {
|
||||
"postinstall": "node scripts/postinstall.js",
|
||||
"bundle": "npm run format:write && npm run package",
|
||||
"ci-test": "jest",
|
||||
"format:write": "prettier --write **/*.ts",
|
||||
@@ -57,8 +58,12 @@
|
||||
"/dist/"
|
||||
],
|
||||
"transform": {
|
||||
"^.+\\.ts$": "ts-jest"
|
||||
"^.+\\.ts$": "ts-jest",
|
||||
"node_modules/@actions/.+\\.js$": "ts-jest"
|
||||
},
|
||||
"transformIgnorePatterns": [
|
||||
"node_modules/(?!@actions/)"
|
||||
],
|
||||
"coverageReporters": [
|
||||
"json-summary",
|
||||
"text",
|
||||
@@ -70,24 +75,24 @@
|
||||
]
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/attest": "^1.6.0",
|
||||
"@actions/core": "^1.11.1"
|
||||
"@actions/attest": "^2.2.1",
|
||||
"@actions/core": "^3.0.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@eslint/js": "^9.33.0",
|
||||
"@eslint/js": "^9.39.2",
|
||||
"@types/jest": "^30.0.0",
|
||||
"@types/node": "^24.2.1",
|
||||
"@vercel/ncc": "^0.38.3",
|
||||
"eslint": "^9.33.0",
|
||||
"@types/node": "^25.2.2",
|
||||
"@vercel/ncc": "^0.38.4",
|
||||
"eslint": "^9.39.2",
|
||||
"eslint-plugin-import": "^2.32.0",
|
||||
"eslint-plugin-jest": "^29.0.1",
|
||||
"jest": "^30.0.5",
|
||||
"eslint-plugin-jest": "^29.13.0",
|
||||
"jest": "^30.2.0",
|
||||
"jose": "^5.9.6",
|
||||
"markdownlint-cli": "^0.45.0",
|
||||
"nock": "^14.0.9",
|
||||
"prettier": "^3.6.2",
|
||||
"ts-jest": "^29.4.1",
|
||||
"typescript": "^5.9.2",
|
||||
"typescript-eslint": "^8.39.0"
|
||||
"markdownlint-cli": "^0.47.0",
|
||||
"nock": "^14.0.10",
|
||||
"prettier": "^3.8.1",
|
||||
"ts-jest": "^29.4.6",
|
||||
"typescript": "^5.9.3",
|
||||
"typescript-eslint": "^8.54.0"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,59 @@
|
||||
/**
|
||||
* Postinstall script to patch ESM-only dependencies for CJS compatibility.
|
||||
*
|
||||
* @actions/core v3+ and its transitive dependencies are ESM-only
|
||||
* (exports only "import" condition). This script adds a "default"
|
||||
* export condition so that CJS bundlers (like @vercel/ncc) and test
|
||||
* runners (like Jest/ts-jest) can resolve the packages.
|
||||
*/
|
||||
const fs = require('fs')
|
||||
const path = require('path')
|
||||
|
||||
function patchPackage(pkgPath) {
|
||||
try {
|
||||
const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'))
|
||||
if (!pkg.exports) return
|
||||
|
||||
let patched = false
|
||||
for (const key of Object.keys(pkg.exports)) {
|
||||
const entry = pkg.exports[key]
|
||||
if (typeof entry === 'object' && entry['import'] && !entry['default']) {
|
||||
entry['default'] = entry['import']
|
||||
patched = true
|
||||
}
|
||||
}
|
||||
|
||||
if (patched) {
|
||||
fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n')
|
||||
console.log(
|
||||
`Patched ${pkg.name}@${pkg.version} exports with "default" condition`
|
||||
)
|
||||
}
|
||||
} catch (e) {
|
||||
// Ignore errors - the package might not be installed yet
|
||||
}
|
||||
}
|
||||
|
||||
function findPackageJsonFiles(dir) {
|
||||
const results = []
|
||||
try {
|
||||
const entries = fs.readdirSync(dir, { withFileTypes: true })
|
||||
for (const entry of entries) {
|
||||
const fullPath = path.join(dir, entry.name)
|
||||
if (entry.isDirectory() && entry.name !== '.cache') {
|
||||
results.push(...findPackageJsonFiles(fullPath))
|
||||
} else if (entry.name === 'package.json') {
|
||||
results.push(fullPath)
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
// Ignore permission or missing directory errors
|
||||
}
|
||||
return results
|
||||
}
|
||||
|
||||
const nodeModulesDir = path.join(__dirname, '..', 'node_modules', '@actions')
|
||||
const packageFiles = findPackageJsonFiles(nodeModulesDir)
|
||||
for (const pkgPath of packageFiles) {
|
||||
patchPackage(pkgPath)
|
||||
}
|
||||
Reference in New Issue
Block a user